So last week I wrote an article for SearchSoftwareQuality on Quick Attacks for Web Security.
One of the techniques I mention was Cross-Site Scripting, or xSS. (The x stands for "cross", ya dig?)
In the article I suggest testing for xSS by using an extremely simple, short piece of code I learned from my friend David Christiansen. Here's the code:
Now if the browser loads the tags as HTML, it will interpret the code as an order to pop up a message box with the single letter 'f' on it. You also won't see the tags, as they'll be interpreted as code.
So they put my article up on the site a little early without notifying me -- this is pretty standard practice and no big deal.
But then I get this Instant Message from Ajay Balamurugadas ...
You guessed it. When he viewed the article, an 'f' popped up and the code to run the xSS attack did not appear! Oh, the Irony!
Yes, dear, these attacks really do work.
Now, don't go worrying that SearchSoftwareQuality is insecure; it is secure. The assistant editor who published the article probably pasted into HTML mode instead of Visual mode, so the script tags were interpreted as HTML rather than displayed as text.
The thing is, that editor was a privileged user. In order to even get the position to do the paste, he had to login. The system trusted him, and he made an honest mistake.
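As an added example (not code from the original article), here is a small Python rendering step that models the two paste modes above: "Visual mode" treats a submission as text so the tags are displayed, "HTML mode" trusts it as markup, and a pre-publish check refuses raw-HTML publication of anything that would execute in the browser. The probe string is constructed to match the description (a message box showing the letter 'f'); the function names and mode names are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed probe in the spirit of the article's test: a script that
# pops up a message box containing the single letter 'f'.
PROBE = "<script>alert('f')</script>"

class ActiveContentFinder(HTMLParser):
    """Collects elements and attributes that a browser would execute."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"{lname} handler on <{tag}>")
            elif lname in ("href", "src") and value \
                    and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {lname} on <{tag}>")

def find_active_content(fragment):
    """Return the reasons this fragment would run code if pasted as raw HTML."""
    finder = ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings

def render_as_text(submission):
    """'Visual mode': escape the submission so tags are shown, not interpreted."""
    return f"<p>{html.escape(submission, quote=True)}</p>"

def render_as_html(submission):
    """'HTML mode': trust the submission as markup (only for vetted content)."""
    return f"<div>{submission}</div>"

def publish(submission, trusted_markup=False):
    """Return (accepted, output). Raw HTML is refused if it carries active content."""
    if not trusted_markup:
        return True, render_as_text(submission)
    problems = find_active_content(submission)
    if problems:
        return False, "refused: " + "; ".join(problems)
    return True, render_as_html(submission)
```

With this check in place, the paste mix-up described above would have been caught before the page went live instead of after a reader saw the pop-up.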
If my code had been:
I doubt he would have pasted it. Even if he had, there would be a paper trail right back to me; it would be foolish for me to give out something like that.
Which leads me to two other, more common attacks:
- tricking someone into doing something they have rights to but you do not
- Escalation of Privilege: finding ways to do things beyond your (implied) privilege set
My article on web attacks was relatively technical; these other kinds of attacks are more social in nature.
If you'd be interested in seeing a future article on testing (and improving) web security through social efforts, just let me know. That article practically writes itself ...